Previous coverage on this breach can be found here and here.
The S.C. Department of Health and Environmental Control continues to notify clients whose personal information was included on improperly discarded DHEC documents, the agency reported today.
“We’ve already mailed letters to individuals, but we don’t have complete mailing addresses for a small number of the clients,” DHEC Commissioner Earl Hunter said. “While we work to gather this information, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires us to issue a broad notification to the affected area.”
According to Hunter, private information of more than 1,800 people was included on DHEC documents that were discovered by a third party in a public, paper recycling container behind the DHEC building on Bull Street in Columbia. This third party gave the documents to another person, who returned them to DHEC.
“Agency policy requires that documents containing personal identifying information must be disposed of by shredding. Since these documents were not shredded according to agency policy, we requested that the State Law Enforcement Division (SLED) investigate this matter,” Hunter said. “During interviews with SLED, an employee admitted placing the documents into the recycling bin instead of taking them to the DHEC shredding facility. We immediately terminated this individual’s employment.
“We also reviewed our policies and procedures, and emphasized to staff their obligations to keep this information confidential. We now require tracking of documents until shredding has been completed,” Hunter said. “We take very seriously our responsibility to protect the confidentiality of personal and medical information about our clients and members of the public.”
Hunter said the documents from the recycling container include patient information submitted to DHEC to determine eligibility for payment by three agency programs to private health care providers. These three programs include: the Best Chance Network program for breast and cervical cancer screenings, the SCOPE (Screening Colonoscopies on People Everywhere) program for colorectal screenings, and other screenings through the WISEWOMAN (Well-Integrated Screening and Evaluation for Women Across the Nation) program. Private health care providers submitted most of the information to DHEC between Jan. 8 and Feb. 17, 2010.
The information submitted to DHEC varied according to the type of program. It might have included: name; address; telephone number; date of birth; gender; race; type of appointment; income level; Social Security number; a brief medical history related to breast or cervical cancer screenings, colorectal cancer risks, or heart disease risk; blood pressure; weight and height; radiology reports, laboratory reports, results of colorectal screenings; bills for program-paid services; and/or the physician’s name.
“We’ve notified 1,824 individuals whose information was returned to the agency from the recycling container. This notification was provided by a letter sent to the individual’s address as recorded in the agency or obtained from the private providers,” Hunter said. “We’ve also notified 1,026 individuals whose information was submitted to us for processing in these programs during this time period, even though the documents returned to us did not include information about these individuals. Since we can’t be certain that all of the documents have been recovered, it is possible that information about these individuals might also have been improperly placed in the recycling container.
“SLED says it doesn’t appear that this information was used for any criminal purpose, and no charges have been filed against the former employee,” Hunter said. “We’ve notified the three national credit reporting agencies and the S.C. Department of Consumer Affairs of this incident. As required by HIPAA, we’ve also reported this matter to the federal Department of Health and Human Services.”
According to Hunter, individuals who believe they might have had information submitted to one of these programs can contact DHEC at 1-866-859-6045 for more information on this matter and on steps they can take to protect their identity. They can also contact one of the three national credit reporting agencies for more information on how to protect their identity in the event someone has obtained their personal information:
*Equifax: 1-800-525-6285 or 1-888-766-0008; http://www.equifax.com; P.O. Box 740256, Atlanta, GA 30374-0256.
*Experian: 1-888-EXPERIAN (397-3742); http://www.experian.com; email: [email protected].
*TransUnion: 1-800-680-7289; http://www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790; email: [email protected].
Individuals can get a free credit report to see if anyone has tried to get credit using their information by going to the Web page at: https://www.annualcreditreport.com, or by calling 1-877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281. Individuals can also contact the S.C. Department of Consumer Affairs at 1-800-922-1594 for information on steps to defend against identity theft.
Source: South Carolina Department of Health and Environmental Control
N.B. As of the time of this posting, this incident is not listed on OCR’s web site for breaches affecting more than 500 individuals.